07.09.2019 Is your network safe from password spraying?

by Andrew Milne

As cyber criminals become more skilled at cracking passwords and gaining access to networks, password security continues to be top of mind for global IT professionals.

Just recently, an advisory was issued from the Australian Cyber Security Centre (ACSC) warning Australian businesses about a high volume of password spraying attacks taking place. And a few months prior to this, U.S.-headquartered Citrix Systems, known as a leading international enterprise network solutions provider, fell victim to password spraying. Initial analysis revealed that cyber criminals may have exploited weak passwords in an internal Citrix network.

Password attacks, especially attempts that result in high-profile compromises of enterprises, serve as reminders for strong password policies and best practices.


Password: Understanding the types of password attacks

Looking at methods typically used to exploit password vulnerabilities can help every user understand the value of using complex passwords and enforcing security measures like multi-factor authentication to improve password security.

Let’s take a closer look:

  • A brute force attack is often the easiest way for cybercriminals to gain access to a site or server: a trial-and-error method that tries username and password combinations again and again until entry is gained. This method is typically used to target a single account by guessing its password. Because of the repetitive action, brute force attacks are compared to an army attacking a fort.


  • A dictionary attack relies on combinations of common words in an attempt to guess well-known phrases or words. Attackers use single words, or word lists that could be found in a dictionary, preying on users who have set up short, simple words as passwords.


  • A key logger attack, or keystroke attack, uses a program to track and record a user’s keystrokes, including login IDs and passwords. This differs from a brute force or dictionary attack because sophisticated malware is used to record the keystrokes and the attacker must first access the user’s device by fooling the user into downloading a file or clicking a link. Multi-factor authentication is a good defense against key logging, making exploitation more difficult for an attacker.


  • A password spraying attack uses a single password across multiple accounts before trying a second password. Because each account sees only one failed attempt per round, this method can test a lot of passwords without triggering account-lockout protections. When an attacker targets a large number of accounts, there is a greater chance that some users will have common passwords in place and can be easily compromised.


Are your passwords among the top 1,000 used?

As we discussed in a Field Effect blog earlier this year, passwords are unfortunately becoming the problem rather than the solution they were designed to be. Weak or commonly-used passwords often enable fast access in these common types of attacks. For example, the National Cyber Security Centre (NCSC) ran a study two years ago to help organizations assess how vulnerable they are to password spraying attempts. The study found that an estimated 75% of the participating organizations had accounts with passwords in the top 1,000 most commonly used passwords. Nearly 90% had accounts with passwords in the top 10,000.

In addition to commonly-used passwords, cyber criminals also target organizations that use single sign-on (SSO) and federated authentication protocols without having deployed multi-factor authentication.


Would you be able to identify suspicious login attempts?

Here at Field Effect, our threat monitoring, vulnerability discovery, and audit tools are regularly used to identify suspicious login attempts. For example, we recently deployed our Covalence incident monitoring and detection solution for a business customer’s network, with these results within just an hour:

  • Identified that a Remote Desktop Service (RDS) was internet accessible.
  • Identified and blacklisted several IPs that were making several thousand connection attempts.
  • Disabled external accessibility to the RDS service.


In the analysis reports we regularly provide our Covalence clients, we also include a summary of the accounts most targeted by brute force attempts and those accounts that do not have multi-factor authentication enabled. With this analysis, we include actions required, recommendations, or observations to help businesses improve their password security as well as the overall health and hygiene of their entire network.
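The lockout evasion described under password spraying above, and the kind of suspicious-login analysis this section describes, as an added example that is not part of the original post or of Covalence's own tooling: it parses constructed sample authentication log lines and flags a source IP that fails against many distinct accounts with only a few failures each (spraying, which per-account lockout counters miss) separately from a source hammering a single account (classic brute force). The log format, IP addresses, usernames and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the original post):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2019-07-09T08:00:01 203.0.113.5 alice FAIL
2019-07-09T08:00:03 203.0.113.5 bob FAIL
2019-07-09T08:00:05 203.0.113.5 carol FAIL
2019-07-09T08:00:07 203.0.113.5 dave FAIL
2019-07-09T08:00:09 203.0.113.5 erin FAIL
2019-07-09T08:00:11 203.0.113.5 frank SUCCESS
2019-07-09T08:01:00 198.51.100.7 alice FAIL
2019-07-09T08:01:01 198.51.100.7 alice FAIL
2019-07-09T08:01:02 198.51.100.7 alice FAIL
2019-07-09T08:01:03 198.51.100.7 alice FAIL
2019-07-09T08:01:04 198.51.100.7 alice FAIL
2019-07-09T08:02:00 192.0.2.9 gina FAIL
2019-07-09T08:02:30 192.0.2.9 gina SUCCESS
"""

def parse(log_text):
    """Split each line into (timestamp, ip, user, result); assumed format."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def classify_sources(events, spray_users=5, brute_fails=5):
    """Count failures per source IP and per account. Many distinct accounts
    with few failures each is the spraying signature; many failures against
    one account is brute force. Thresholds are assumed, tune to your logs."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))
    for _, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip][user] += 1
    verdicts = {}
    for ip, per_user in fails_by_ip.items():
        distinct_accounts = len(per_user)
        worst_account = max(per_user.values())
        if distinct_accounts >= spray_users and worst_account < brute_fails:
            verdicts[ip] = "password_spray"
        elif worst_account >= brute_fails:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts

def compromised_by_spray(events, verdicts):
    """Accounts that logged in successfully from a spraying source:
    the first ones to reset, review and enrol in multi-factor authentication."""
    return sorted({user for _, ip, user, result in events
                   if result == "SUCCESS" and verdicts.get(ip) == "password_spray"})
```

A per-account failure counter would see at most one failure for each of the sprayed accounts and never lock anything; the per-source view is what surfaces the pattern.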


How can you defend against password spraying attacks?

To protect your network and users against password spraying attacks, we recommend the following best practices:

  • At a minimum, ensure two-factor authentication is enabled on all user accounts.
  • Reduce the number of exposed services and interfaces in your IT infrastructure – reduce your threat surface.
  • Consider using additional safeguards that require authentication prior to allowing access to interfaces and systems.


Covalence: a defense against password spraying attacks

If you’re enforcing best password security practices and using two-factor, or even multi-factor authentication, you’re ahead of the game. Continually monitoring suspicious activity on your network is also critical.

We can help. Our Covalence platform provides comprehensive incident monitoring, vulnerability detection, analysis, and response services and capabilities that help businesses understand, identify, and reduce the threats targeting their networks.


Here are just a few examples of how we protect against password spraying:

  • Our Covalence network monitoring solution:
    • Analytic tools to identify RDP brute force attacks
    • Analytic tools for blacklisting IPs listed on AbuseIPDB (a community resource for reporting malicious IPs involved in scanning, password spraying, etc.).
    • Analytic tools to identify exposed services on the outbound IP


  • Our Covalence cloud monitoring solution:
    • Analytic tools to detect brute force attempts on Office 365, G Suite and other cloud services.


Do you have questions about password security and enforcing best practices or new policies? Reach out to our experienced Field Effect team of analysts today.
